17255 matches found

Source: OSV | added 2026/04/02 6:42 p.m. | 2 views
GO-2026-4863 Contrast BadAML injection allows arbitrary code execution in github.com/edgelesssys/contrast

Contrast BadAML injection allows arbitrary code execution in github.com/edgelesssys/contrast...

AI score: 6.5 | Exploits: 0 | References: 3

Source: OSV | added 2026/04/02 6:42 p.m. | 2 views
GO-2026-4901 nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys in github.com/0xJacky/nginx-ui

nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys in github.com/0xJacky/nginx-ui...

CVSS: 9.9 | AI score: 5.9 | EPSS: 0.00041 | Exploits: 1 | References: 3

Source: Positive Technologies | added 2026/04/02 12:00 a.m. | 2 views
PT-2026-29942

MinIO is Vulnerable to SSE Metadata Injection via Replication Headers in github.com/minio/minio...

AI score: 5.9 | Exploits: 0 | References: 3

Source: Positive Technologies | added 2026/04/02 12:00 a.m. | 2 views
PT-2026-29944

nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys in github.com/0xJacky/nginx-ui...

CVSS: 9.9 | AI score: 5.9 | EPSS: 0.00041 | Exploits: 1 | References: 4

Source: Positive Technologies | added 2026/04/02 12:00 a.m. | 1 view
PT-2026-29926

Contrast BadAML injection allows arbitrary code execution in github.com/edgelesssys/contrast...

AI score: 6.4 | Exploits: 0 | References: 4

Source: Cvelist | added 2026/04/01 7:56 p.m. | 19 views
CVE-2026-34455 Hi.Events: SQL Injection via Unvalidated sort_by Query Parameter in Multiple Repository Classes

Hi.Events is an open-source event management and ticket selling platform. From version 0.8.0-beta.1 to before version 1.7.1-beta, multiple repository classes pass the user-supplied sort_by query parameter directly to Eloquent's orderBy without validation, enabling SQL injection. The application us...

CVSS: 8.7 | EPSS: 0.00037 | Exploits: 1 | References: 4

Source: The Hacker News | added 2026/04/01 6:12 a.m. | 2 views
Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms

Anthropic on Tuesday confirmed that internal code for its popular artificial intelligence (AI) coding assistant, Claude Code, had been inadvertently released due to a human error. "No sensitive customer data or credentials were involved or exposed," an Anthropic spokesperson said in a statement...

AI score: 6.1 | Exploits: 0

Source: Positive Technologies | added 2026/04/01 12:00 a.m. | 2 views
PT-2026-33861

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.28. Description: An environment variable injection issue occurs because the software loads the .env file from the current working directory before the trusted state-dir configuration. This allows untrusted...

CVSS: 9.6 | AI score: 5.7 | EPSS: 0.00015 | Exploits: 0 | References: 14

Source: OSV | added 2026/03/31 3:16 p.m. | 0 views
UBUNTU-CVE-2026-34165

go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a...

CVSS: 5 | AI score: 5.7 | EPSS: 0.00005 | Exploits: 0 | References: 4

Source: UbuntuCve | added 2026/03/31 3:16 p.m. | 1 view
CVE-2026-34165

go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a...

CVSS: 5 | AI score: 5.7 | EPSS: 0.00005 | Exploits: 0 | References: 3

Source: CNVD | added 2026/03/31 12:00 a.m. | 2 views
HCL Aftermarket DPC Hardcoding Vulnerability

HCL Aftermarket DPC is a digital spare parts and aftermarket management platform for HCL India. HCL Aftermarket DPC suffers from a hard-coded vulnerability that originates from hard-coded sensitive data, which can be exploited by an attacker to gain access to source code or retrieve these...

CVSS: 7.5 | AI score: 6 | EPSS: 0.00046 | Exploits: 0

Source: SUSE CVE | added 2026/03/30 11:27 p.m. | 3 views
SUSE CVE-2026-33748

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is...

CVSS: 7.5 | AI score: 5.8 | EPSS: 0.00032 | Exploits: 0 | References: 5

Source: Cvelist | added 2026/03/30 9:18 a.m. | 13 views
CVE-2026-5128

...

EPSS: 0.00144 | Exploits: 0

Source: Positive Technologies | added 2026/03/30 12:00 a.m. | 2 views
PT-2026-29007

Name of the Vulnerable Software and Affected Versions: ArthurFiorette steam-trader version 2.1.1. Description: A sensitive information exposure issue exists. An unauthenticated attacker can send a request to the /users API endpoint to retrieve sensitive Steam account data, including the account...

CVSS: 10 | AI score: 5.9 | EPSS: 0.00144 | Exploits: 0 | References: 7

Source: Anthropic | added 2026/03/29 8:43 p.m. | 12 views
ANT-2026-6SNS6KMP · GitoxideLabs/gitoxide · Remote Code Execution

Tags: rce, high. GHSA-f26g-jm89-4g65. Severity: Claude: high · Security research firm: - · Maintainer: high. Discovered by Claude Mythos Preview. REPORT: The report below was sent to the maintainer and sealed at approval. ANT-2026-6SNS6KMP: RCE when updating a Git submodule of a malicious repository. Updating a G...

AI score: 6.1 | Exploits: 0

Source: EUVD | added 2026/03/28 9:33 p.m. | 1 view
EUVD-2026-16941

A vulnerability was identified in kazuph mcp-docs-rag up to 0.5.0. Affected is the function cloneRepository of the file src/index.ts of the component add_git_repository/add_text_file. The manipulation leads to os command injection. The attack needs to be performed locally. The exploit is publicly...

CVSS: 5.3 | AI score: 5.7 | EPSS: 0.00322 | Exploits: 0 | References: 7

Source: NVD | added 2026/03/28 7:16 p.m. | 0 views
CVE-2026-5007

A vulnerability was identified in kazuph mcp-docs-rag up to 0.5.0. Affected is the function cloneRepository of the file src/index.ts of the component add_git_repository/add_text_file. The manipulation leads to os command injection. The attack needs to be performed locally. The exploit is publicly...

CVSS: 5.3 | EPSS: 0.00322 | Exploits: 0 | References: 6

Source: Vulnrichment | added 2026/03/28 6:30 p.m. | 1 view
CVE-2026-5007 kazuph mcp-docs-rag add_git_repository/add_text_file index.ts cloneRepository os command injection

A vulnerability was identified in kazuph mcp-docs-rag up to 0.5.0. Affected is the function cloneRepository of the file src/index.ts of the component add_git_repository/add_text_file. The manipulation leads to os command injection. The attack needs to be performed locally. The exploit is publicly...

CVSS: 5.3 | AI score: 5.7 | EPSS: 0.00322 | Exploits: 0 | References: 6

Source: ATTACKERKB | added 2026/03/28 6:30 p.m. | 1 view
CVE-2026-5007

A vulnerability was identified in kazuph mcp-docs-rag up to 0.5.0. Affected is the function cloneRepository of the file src/index.ts of the component add_git_repository/add_text_file. The manipulation leads to os command injection. The attack needs to be performed locally. The exploit is publicly...

CVSS: 5.3 | AI score: 5.5 | EPSS: 0.00322 | Exploits: 0 | References: 6 | Affected Software: 1

Source: CVE | added 2026/03/28 6:30 p.m. | 7 views
CVE-2026-5007

Affects kazuph mcp-docs-rag up to 0.5.0. The vulnerable component is the cloneRepository function in src/index.ts (add_git_repository/add_text_file). The issue is OS command injection, exploitable locally. An exploit is publicly available, and the project was informed via an issue report but has ...

CVSS: 5.3 | AI score: 5.7 | EPSS: 0.00322 | Exploits: 0 | References: 6